A fintech startup hired an AI agency in San Francisco to build a credit underwriting model in early 2025. The model used alternative data—transaction patterns, utility payment history, and behavioral signals—to expand credit access to borrowers with thin credit files. On paper, it was a noble mission: helping underserved populations access credit. In practice, the model created a compliance nightmare. The CFPB examined the model and found that several of the alternative data features served as proxies for race and ethnicity. The transaction pattern features correlated with neighborhood demographics. The behavioral signals correlated with age. The model expanded credit access for some groups while systematically disadvantaging others. The fintech received a consent order requiring $4.8 million in remediation and restitution. The AI agency's role in the model development became the subject of a separate enforcement inquiry.
AI in lending is one of the most heavily regulated applications of artificial intelligence. Fair lending laws have decades of case law and regulatory guidance. Model risk management standards are detailed and prescriptive. The consequences of non-compliance are severe—not just fines, but consent orders, operating restrictions, and reputational damage that can end a company. If your agency builds AI for lending, you must understand this compliance landscape at a deep level.
The Fair Lending Regulatory Framework
Equal Credit Opportunity Act (ECOA)
ECOA prohibits discrimination in credit transactions on the basis of race, color, religion, national origin, sex, marital status, age, receipt of public assistance, or the good faith exercise of consumer rights. ECOA applies to all aspects of a credit transaction, including the use of AI models in underwriting, pricing, and servicing.
Key implications for AI agencies:
- AI models used in credit decisions must not discriminate on the basis of prohibited factors, either directly or through disparate impact
- If an AI model uses features that correlate with prohibited factors (proxies), the model may violate ECOA even without using prohibited factors directly
- Lenders must provide specific reasons for adverse actions (denial, unfavorable terms). AI models must be capable of generating these reasons
Fair Housing Act (FHA)
The Fair Housing Act prohibits discrimination in residential real estate-related transactions, including mortgage lending. If your AI is used in mortgage underwriting or pricing, FHA compliance is required in addition to ECOA.
Community Reinvestment Act (CRA)
CRA requires banks to meet the credit needs of the communities they serve, including low- and moderate-income neighborhoods. AI models that effectively redline communities by using geographic or demographic proxies can create CRA compliance issues.
State Fair Lending Laws
Many states have fair lending laws that are broader than federal requirements. Some prohibit discrimination based on additional categories (source of income, gender identity, immigration status). Identify the states where your client operates and ensure compliance with all applicable state laws.
CFPB Guidance on AI and Fair Lending
The CFPB has issued multiple circulars and guidance documents addressing AI in lending:
- Adverse action notices: The CFPB requires that adverse action notices provide the specific, principal reasons for the action. "The AI model scored you below the threshold" is not sufficient. The lender must identify the specific factors that most influenced the adverse decision.
- Proxy discrimination: The CFPB has made clear that using features that serve as proxies for prohibited factors violates fair lending laws, even if the model does not use prohibited factors directly.
- Black-box models: The CFPB has expressed concern about the use of opaque AI models in lending, emphasizing that lenders must be able to explain their credit decisions regardless of the complexity of the model.
Model Risk Management Standards
OCC Bulletin 2011-12 (SR 11-7): The Office of the Comptroller of the Currency's model risk management guidance applies to all models used by banks, including AI models. It requires:
- Model development with sound methodology
- Independent model validation
- Ongoing model monitoring
- Model governance with clear roles and responsibilities
- Documentation of all model development, validation, and monitoring activities
Federal Reserve SR 11-7: The Federal Reserve's model risk management guidance mirrors OCC 2011-12 and applies to bank holding companies and state member banks.
FDIC guidance: The FDIC has issued parallel guidance for FDIC-supervised institutions.
If your client is a bank or regulated financial institution, their AI models must comply with these model risk management standards. If your client is a non-bank fintech, they may not be directly subject to these standards, but they are increasingly used as best practice benchmarks and may be required by bank partners.
Technical Compliance Requirements
Feature Selection and Proxy Analysis
The most common compliance failure in lending AI is proxy discrimination—using features that correlate with prohibited factors.
Conducting proxy analysis:
- Calculate the correlation between each input feature and each prohibited factor (race, sex, age, etc.)
- Features with statistically significant correlations are potential proxies
- For each potential proxy, evaluate whether it is legitimately predictive of creditworthiness independent of its correlation with prohibited factors
- Document the analysis and the justification for retaining or removing each feature
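The correlation screen described in the steps above, as an added example that is not part of the original article: it correlates each feature with a binary protected-group indicator and flags statistically significant pairs for the legitimacy review and documentation steps. The feature names, the sample data, the 0.05 significance level and the Fisher z approximation for the p-value are all assumptions chosen for illustration.

```python
import math
from statistics import NormalDist, mean

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def p_value(r, n):
    """Two-sided p-value from the Fisher z-transform (normal approximation)."""
    if n <= 3:
        return 1.0  # too few rows to say anything
    r = max(min(r, 0.999999), -0.999999)  # atanh is undefined at +/-1
    z = math.atanh(r) * math.sqrt(n - 3)
    return 2 * (1 - NormalDist().cdf(abs(z)))

def proxy_screen(features, protected, alpha=0.05):
    """Correlate each feature with each protected indicator; flag significant pairs."""
    rows = []
    for fname, fvals in features.items():
        for pname, pvals in protected.items():
            r = pearson(fvals, pvals)
            p = p_value(r, len(fvals))
            rows.append({"feature": fname, "factor": pname, "r": round(r, 3),
                         "p_value": p, "potential_proxy": p < alpha})
    # Strongest correlations first, so those retain/remove decisions get documented first.
    return sorted(rows, key=lambda row: -abs(row["r"]))

# Constructed sample: 200 applicants alternating between two groups.
# zip_median_income is built to track group membership; utility_on_time_rate is not.
N = 200
GROUP = [i % 2 for i in range(N)]
FEATURES = {
    "utility_on_time_rate": [0.80 + 0.01 * ((i // 2) % 10) for i in range(N)],
    "zip_median_income": [40 + 20 * GROUP[i] + (i // 2) % 10 for i in range(N)],
}

def run_screen():
    return proxy_screen(FEATURES, {"protected_group": GROUP})

if __name__ == "__main__":
    for row in run_screen():
        print(row)
```

A flag here only marks a feature as a potential proxy; whether it stays in the model still depends on the independent-predictiveness review and the written justification.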
Common proxy traps:
- ZIP code and geographic data: Highly correlated with race and ethnicity due to residential segregation
- Educational institution: Can correlate with race, national origin, and socioeconomic status
- Transaction patterns: Can correlate with neighborhood demographics
- Social media data: Correlates with multiple protected characteristics
- Name-based features: Obviously problematic, but sometimes inadvertently included in text processing
- Employment type or industry: Can correlate with race, sex, and national origin
Disparate Impact Testing
Beyond proxy analysis, test the model's outcomes for disparate impact.
How to test:
- Run the model on a representative dataset with known demographic characteristics
- Calculate approval rates, denial rates, and pricing outcomes by demographic group
- Apply statistical significance tests to identify disparate impact
- If disparate impact exists, evaluate whether the model can be modified to reduce disparate impact without sacrificing legitimate predictive power
- Document the testing methodology, results, and any remediation actions
Testing challenges:
- Demographic data may not be available for all applicants. Use BISG (Bayesian Improved Surname Geocoding) or similar techniques to estimate demographics when self-reported data is unavailable.
- Small sample sizes for some demographic groups may make statistical testing unreliable. Accumulate data over time and use appropriate statistical methods for small samples.
- Intersectional analysis (looking at combinations of protected characteristics) is increasingly expected by regulators but technically challenging.
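A sketch of the outcome test and the small-sample caveat above, added here as an example and not taken from the original article: it computes approval rates by group, the ratio to a reference group, and a two-proportion z-test, and refuses to flag groups that are too small to test reliably. The group labels, the sample decisions, the 0.05 significance level and the 30-applicant minimum are assumptions.

```python
import math
from collections import Counter
from statistics import NormalDist

def disparate_impact(decisions, reference, alpha=0.05, min_n=30):
    """decisions: iterable of (group, approved). Compares each group to `reference`."""
    total, approved = Counter(), Counter()
    for group, ok in decisions:
        total[group] += 1
        approved[group] += bool(ok)
    if total[reference] == 0:
        raise ValueError("reference group has no applicants")
    n_ref, a_ref = total[reference], approved[reference]
    rate_ref = a_ref / n_ref
    report = {}
    for g in sorted(total):
        if g == reference:
            continue
        n, a = total[g], approved[g]
        rate = a / n
        # Two-proportion z-test with a pooled standard error.
        pooled = (a + a_ref) / (n + n_ref)
        se = math.sqrt(pooled * (1 - pooled) * (1 / n + 1 / n_ref))
        z = (rate - rate_ref) / se if se else 0.0
        p = 2 * (1 - NormalDist().cdf(abs(z)))
        reliable = n >= min_n  # small groups are reported but never auto-flagged
        report[g] = {
            "n": n,
            "approval_rate": round(rate, 3),
            "ratio_to_reference": round(rate / rate_ref, 3) if rate_ref else None,
            "p_value": p,
            "reliable": reliable,
            "flag": reliable and p < alpha and rate < rate_ref,
        }
    return report

# Constructed sample decisions (group label, approved?).
DECISIONS = (
    [("A", True)] * 300 + [("A", False)] * 100     # reference group
    + [("B", True)] * 180 + [("B", False)] * 220   # large gap, large sample
    + [("C", True)] * 6 + [("C", False)] * 6       # too few applicants to test
    + [("D", True)] * 290 + [("D", False)] * 110   # small gap, not significant
)

if __name__ == "__main__":
    for group, row in disparate_impact(DECISIONS, reference="A").items():
        print(group, row)
```

Groups marked unreliable still appear in the report, so they can be re-tested as data accumulates over time.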
Adverse Action Reason Generation
ECOA requires that lenders provide specific reasons for adverse credit decisions. For AI models, this means the model must be able to identify the factors that most contributed to an unfavorable decision for each individual applicant.
Approaches:
- SHAP (SHapley Additive exPlanations): Provides feature-level explanations for individual predictions. Each feature's contribution to the decision is quantified.
- LIME (Local Interpretable Model-agnostic Explanations): Creates local interpretable approximations of the model's behavior around specific predictions.
- Inherently interpretable models: Logistic regression, decision trees, and other interpretable models provide natural explanations. Some regulators prefer these models in lending contexts.
- Reason code mapping: Map model features to standardized adverse action reason codes. The top contributing features for a specific decision map to specific reason codes that are provided to the applicant.
Requirements for adverse action reasons:
- Reasons must be specific (not generic)
- Reasons must be the principal factors that influenced the decision
- Reasons must be actionable—the applicant should understand what they could change to improve their outcome
- Reasons must be accurate representations of how the model actually works
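Reason code mapping on an inherently interpretable model, as an added example that is not from the original article: each feature's contribution to one applicant's score is computed, and only the features that actually pushed the score down are mapped to reason codes, largest first. The coefficients, baselines, reason codes, approval threshold and applicants are all hypothetical.

```python
import math

# Hypothetical logistic model: log-odds of approval =
#   INTERCEPT + sum(coefficient * (value - population baseline))
INTERCEPT = 0.4
MODEL = {  # feature: (coefficient, population baseline)
    "months_since_delinquency": (0.05, 24.0),
    "debt_to_income": (-4.0, 0.30),
    "utility_on_time_rate": (3.0, 0.90),
    "account_age_months": (0.01, 60.0),
}
REASON_CODES = {  # hypothetical reason-code table
    "months_since_delinquency": ("R01", "Delinquency on an account is too recent"),
    "debt_to_income": ("R02", "Debt obligations are high relative to income"),
    "utility_on_time_rate": ("R03", "Too many late utility payments"),
    "account_age_months": ("R04", "Length of account history is too short"),
}

def contributions(applicant):
    """Per-feature contribution to the log-odds, relative to the baseline applicant."""
    return {f: coef * (applicant[f] - base) for f, (coef, base) in MODEL.items()}

def decide(applicant, threshold=0.5, top_k=2):
    contrib = contributions(applicant)
    log_odds = INTERCEPT + sum(contrib.values())
    prob = 1 / (1 + math.exp(-log_odds))
    if prob >= threshold:
        return {"approved": True, "probability": round(prob, 3), "reasons": []}
    # Principal reasons: only features that lowered the score, most negative first.
    # Features that helped the applicant are never reported as reasons.
    negatives = sorted((value, f) for f, value in contrib.items() if value < 0)
    reasons = [REASON_CODES[f] for _, f in negatives[:top_k]]
    return {"approved": False, "probability": round(prob, 3), "reasons": reasons}

# Constructed applicants.
DENIED = {"months_since_delinquency": 6, "debt_to_income": 0.55,
          "utility_on_time_rate": 0.95, "account_age_months": 84}
APPROVED = {"months_since_delinquency": 48, "debt_to_income": 0.20,
            "utility_on_time_rate": 0.98, "account_age_months": 60}

if __name__ == "__main__":
    print(decide(DENIED))
    print(decide(APPROVED))
```

For a non-linear model the `contributions` step would be replaced by per-prediction attributions such as SHAP values; the filtering and mapping logic stays the same.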
Model Documentation
Lending AI requires extensive documentation that exceeds what most AI agencies typically produce.
Model development documentation:
- Purpose and intended use of the model
- Data sources and data preparation procedures
- Feature engineering methodology
- Feature selection and proxy analysis results
- Model architecture and hyperparameter choices
- Training methodology
- Performance metrics on training, validation, and test sets
- Fair lending testing results
- Known limitations and weaknesses
Model validation documentation:
- Validation methodology and scope
- Independent assessment of model performance
- Independent fair lending analysis
- Stress testing results
- Benchmarking against alternative approaches
- Findings and recommendations
- Management response to findings
Model monitoring documentation:
- Monitoring metrics and thresholds
- Monitoring frequency
- Escalation procedures for out-of-threshold conditions
- Historical monitoring results
- Actions taken in response to monitoring findings
Governance Framework for Lending AI
Model Risk Management Program
Your lending AI governance framework should align with SR 11-7 / OCC 2011-12 requirements.
Model inventory: Maintain a complete inventory of all AI models in use, including model name, purpose, owner, risk tier, validation status, and next review date.
Model risk tiering: Classify models by risk level based on the materiality of the decisions they inform. Models that directly influence credit approval or pricing are typically Tier 1 (highest risk).
Model development standards: Define standards for how models are developed, including data quality requirements, feature selection procedures, fair lending testing, documentation requirements, and approval processes.
Model validation: All models must be validated by qualified, independent parties before deployment and at least annually thereafter. Validation must assess conceptual soundness, developmental evidence, and outcome analysis.
Model monitoring: Define ongoing monitoring requirements including performance monitoring, fair lending monitoring, data quality monitoring, and model stability monitoring.
Model governance committee: Establish a governance committee (or participate in your client's committee) that reviews and approves models, reviews monitoring results, and makes decisions about model modifications and retirements.
Fair Lending Compliance Program
Testing program: Define the schedule and methodology for fair lending testing. Include both pre-deployment testing and ongoing monitoring.
Remediation procedures: Define how fair lending issues are investigated and remediated. Include timelines, responsible parties, and escalation procedures.
Regulatory examination readiness: Maintain documentation and processes that enable you to respond to regulatory examinations efficiently. Regulators will ask for model documentation, fair lending testing results, and monitoring reports. Have these ready.
Training: Ensure that your team understands fair lending requirements. This is not just a technical issue—it requires understanding the legal framework, regulatory expectations, and the specific compliance requirements of your clients' industries.
Client Engagement Model
Pre-engagement assessment: Before agreeing to build lending AI for a client, assess their regulatory status (bank vs. non-bank), their existing compliance infrastructure, their data availability for fair lending testing, and their appetite for compliance investment.
Shared responsibility framework: Document which compliance activities are your agency's responsibility and which are the client's. Typically:
- Agency responsibility: Model development with fair lending considerations, proxy analysis, disparate impact testing, model documentation, adverse action reason generation capability
- Client responsibility: Regulatory filing, ongoing monitoring execution, regulatory examination response, business decisions about model deployment and thresholds
- Shared responsibility: Model validation, fair lending testing strategy, remediation decisions
Ongoing support: Lending AI is not a build-and-hand-off engagement. Plan for ongoing model monitoring, periodic re-validation, and regulatory response support.
Alternative Data Considerations
Alternative data (data beyond traditional credit bureau information) is one of the most promising and most perilous areas of lending AI.
Legitimate uses of alternative data:
- Rent payment history (widely accepted by regulators)
- Utility payment history (generally accepted)
- Bank account cash flow analysis (increasingly accepted, with appropriate controls)
- Educational and professional credentials (accepted with proxy analysis)
High-risk alternative data:
- Social media activity (significant proxy risks, questionable predictive value)
- Device and browser data (proxy risks, privacy concerns)
- Shopping behavior (proxy risks)
- Psychometric data (scientifically questionable, regulatory skepticism)
- Location data (significant proxy risks for redlining)
For any alternative data source, ask:
- Is this data legitimately predictive of creditworthiness?
- Does this data serve as a proxy for prohibited factors?
- Can applicants access and dispute this data?
- Is the data accurate and representative?
- Does using this data expand or contract credit access for underserved populations?
Common Compliance Failures
Using geographic data without proxy analysis. ZIP codes and census tract data are among the strongest proxies for race and ethnicity. If your model uses geographic features, conduct thorough proxy analysis and be prepared to justify their inclusion.
Treating model explanation as optional. In lending, explanation is a legal requirement, not a nice-to-have. If your model cannot generate specific, accurate adverse action reasons, it is not ready for deployment.
Insufficient documentation. Lending model documentation requirements are extensive. The documentation produced for a typical AI project is nowhere near sufficient for a lending model. Budget additional time and resources for documentation.
One-time fair lending testing. Fair lending compliance is not a checkbox at launch. It requires ongoing monitoring with regular testing cycles. Build this into your service agreements and pricing.
Ignoring model risk management standards. If your client is a bank, SR 11-7 / OCC 2011-12 applies. If you are not familiar with these standards, you are not qualified to build lending AI for banks. Learn them or partner with someone who knows them.
Using training data that reflects historical bias. Historical lending data contains historical discrimination. If you train on historical approval/denial data, you are training the model to replicate historical bias. Use debiasing techniques, test extensively, and consider whether the training data is appropriate.
Your Next Step
If your agency is considering lending AI as a service offering, invest in regulatory education before you take on your first client. Read SR 11-7, the CFPB's guidance on AI in lending, and the ECOA and Regulation B. Attend a fair lending compliance conference or training program. Talk to compliance officers at banks and fintechs about their expectations for model vendors.
Then build your compliance infrastructure: fair lending testing tools, documentation templates, proxy analysis procedures, and adverse action reason generation capabilities. This infrastructure is the moat that separates qualified lending AI agencies from agencies that are one regulatory examination away from an enforcement action.
The lending AI market is enormous and growing. But it is a market that rewards compliance maturity and punishes recklessness. Build the compliance foundation first, and the revenue follows.